Protection against Man-in-the-Middle Attacks in Virtualization Environments

ABSTRACT

A man-in-the-middle protection module can monitor data traffic exchanged between a source and destination nodes over a source-destination link via a network. The module can utilize a traffic probe packet to determine a packet delay associated with the data traffic. The module can store the packet delay and can determine that the packet delay is greater than a normal packet delay. If so, the module can determine that an attacker has compromised the source-destination link. The module can command a virtual machine associated with the source node to be decommissioned. The module can instruct a virtualization orchestrator to create a new source node. The data traffic can be rerouted to be exchanged between the new source node and the destination node over a new source-destination link via the network. The module can create and send fake data traffic towards the MitM attacker over the source-destination link via the network.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims priority to U.S. patentapplication Ser. No. 16/795,785, entitled “Protection againstMan-in-the-Middle Attacks in Virtualization Environments,” filed Feb.20, 2020, now allowed, which is incorporated herein by reference in itsentirety.

BACKGROUND

In today's connected world, data has become a valuable resource togovernments, businesses, and individuals alike. Malicious attackers thatseek to obtain this resource use sophisticated cyber-attacks, such adenial-of-service (“DoS”), distributed denial-of-service (“DDoS”),man-in-the-middle (“MitM”), phi shing, eavesdropping, and passwordattacks, among others, to steal personal, financial, and other sensitivedata. As a result, cyber security has become a primary focus ofgovernments, businesses, and individuals to prevent cyber-attacks and toremediate after an attack. Prevention, however, is paramount andexisting prevention methodologies are not well-suited for virtualizedenvironments that are becoming more commonplace today.

SUMMARY

Concepts and technologies disclosed herein are directed to protectionagainst man-in-the-middle (“MitM”) attacks in virtualizationenvironments. According to one aspect of the concepts and technologiesdisclosed herein, a MitM protection (“MitMP”) module can monitor datatraffic exchanged between a source node and a destination node over asource-destination link via a network. The MitMP module can beassociated with the source node. The source node can include a virtualmachine. The MitMP module can utilize a traffic probe packet todetermine a packet delay value associated with the data trafficexchanged between the source node and the destination node over thesource-destination link via the network. The MitMP module can store thepacket delay value. The MitMP module can determine that the packet delayvalue is greater than a normal packet delay value. In response todetermining that the packet delay value is greater than the normalpacket delay value, the MitMP module can determine that a MitM attackerhas compromised the source-destination link. The MitMP module cancommand the virtual machine to be decommissioned. The MitMP module caninstruct a virtualization orchestrator to create a new source node, anew virtual machine, and a new MitMP module. The data traffic can bererouted to be exchanged between the new source node and the destinationnode over a new source-destination link via the network. The MitMPmodule can create fake data traffic that includes replica data packetsof data packets contained in the data traffic. The MitMP module can sendthe fake data traffic towards the MitM attacker over thesource-destination link via the network.

In some embodiments, the MitMP module can store the packet delay valuein a distributed ledger. The distributed ledger can be implemented viablockchain or other similar technology. The packet delay value caninclude an average packet delay value. The MitMP module can map thenetwork with a most recent packet delay value for each link in thenetwork. The MitMP module can determine that the packet delay value isgreater than the normal packet delay value by comparing the most recentpacket delay value to the normal packet delay value.

In some embodiments, the MitMP module can create the fake data trafficbased upon a characteristic of the data traffic. For example, the MitMPmodule can generate replica data packets of the data packets containedin the data traffic with the same payload size and header informationbut with different raw data. The raw data can be randomly orpseudo-randomly generated or can be sourced from a database of expiredor otherwise no longer relevant data.

According to another aspect of the concepts and technologies disclosedherein, a distributed MitMP system can include a plurality of nodesoperating in a network provided, at least in part, via a virtualizationenvironment. The plurality of nodes can include a source node and adestination node. The source node can include a virtual machine and aMitMP module. The MitMP module can include computer-executableinstructions that, when executed, perform operations. The MitMP modulecan monitor data traffic exchanged between the source node and thedestination node over a source-destination link via the network. TheMitMP module can utilize a traffic probe packet to determine a packetdelay value associated with the data traffic exchanged between thesource node and the destination node over the source-destination linkvia the network. The MitMP module can store the packet delay value andcan determine that the packet delay value is greater than a normalpacket delay value. In response to determining that the packet delayvalue is greater than the normal packet delay value, the MitMP modulecan determine that a MitM attacker has compromised thesource-destination link. The MitMP module can then command the virtualmachine to be decommissioned. The MitMP module also can instruct avirtualization orchestrator to create a new source node, a new virtualmachine, and a new man-in-the-middle protection module. The data trafficcan be rerouted to be exchanged between the new source node and thedestination node over a new source-destination link via the network. TheMitMP module can create fake data traffic that includes replica datapackets of data packets contained in the data traffic. The MitMP modulecan send the fake data traffic towards the MitM attacker over thesource-destination link via the network.

It should be appreciated that the above-described subject matter may beimplemented as a computer-controlled apparatus, a computer process, acomputing system, or as an article of manufacture such as acomputer-readable storage medium. These and various other features willbe apparent from a reading of the following Detailed Description and areview of the associated drawings.

This Summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intendedthat this Summary be used to limit the scope of the claimed subjectmatter. Furthermore, the claimed subject matter is not limited toimplementations that solve any or all disadvantages noted in any part ofthis disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A and 1B are block diagrams illustrating aspects of anillustrative operating environment for various concepts disclosedherein.

FIG. 2 is a flow diagram illustrating aspects of a method for protectingagainst man-in-the-middle (“MitM”) attacks in virtualizationenvironments, according to an illustrative embodiment.

FIG. 3 is a block diagram illustrating an example computer systemcapable of implementing aspects of the embodiments presented herein.

FIG. 4 is a block diagram illustrating an example mobile device capableof implementing aspects of the embodiments disclosed herein.

FIG. 5 is a diagram illustrating a network, according to an illustrativeembodiment.

FIG. 6 is a diagram illustrating a cloud computing platform capable ofimplementing aspects of the embodiments disclosed herein.

DETAILED DESCRIPTION

The concepts and technologies disclosed herein provide a distributedman-in-the-middle protection (“MitMP”) system that resides in every nodeof a network and continuously monitors incoming and outgoing datatraffic of each node. The distributed MitMP system includes a pluralityof MitMP modules, each of which is associated with a specific node inthe network. The MitMP modules communicate with each other via trafficprobe packets to map out packet delays among all links in the network.The packet delay values for each link are known to each MitMP module andstored using a distributed ledger (e.g., blockchain or other similartechnology). Each MitMP module can map out the network with the mostrecent delay values. After a MitMP module detects that the data traffichas higher packet delays than normal (where normal delay can beestablished over time for each link in the network), the MitMP modulecan command a virtual machine that resides on the same node as the MitMPmodule to be decommissioned. The MitMP module can then communicate witha virtualization orchestrator, which can create a new node with a newMitMP module while the old node continues to send fake data trafficcreated by the MitMP module to convince the malicious attacker that theMitM attack is/was successful. Each MitMP module can be created by thevirtualization orchestrator. The virtualization orchestrator can keeptrack of the status of each MitMP module using a MitMP management modulethat handles all aspects and updates for all MitMP modules. Each MitMPmodule can have an authentication key to securely communicate with thevirtualization orchestrator.

While the subject matter described herein may be presented, at times, inthe general context of program modules that execute in conjunction withthe execution of an operating system and application programs on acomputer system, those skilled in the art will recognize that otherimplementations may be performed in combination with other types ofprogram modules. Generally, program modules include routines, programs,components, data structures, computer-executable instructions, and/orother types of structures that perform particular tasks or implementparticular abstract data types. Moreover, those skilled in the art willappreciate that the subject matter described herein may be practicedwith other computer systems, including hand-held devices, vehicles,wireless devices, multiprocessor systems, distributed computing systems,microprocessor-based or programmable consumer electronics,minicomputers, mainframe computers, routers, switches, other computingdevices described herein, and the like.

In the following detailed description, references are made to theaccompanying drawings that form a part hereof, and in which are shown byway of illustration specific embodiments or examples. Referring now tothe drawings, in which like numerals represent like elements throughoutthe several figures, aspects of the concepts and technologies disclosedherein for protection against MitM attacks in virtualizationenvironments will be described.

Referring now to FIG. 1A, aspects of an illustrative operatingenvironment 100A for various concepts disclosed herein will bedescribed. It should be understood that the operating environment 100Aand the various components thereof have been greatly simplified forpurposes of description. Accordingly, additional or alternativecomponents of the operating environment 100A can be made availablewithout departing from the embodiments described herein.

The illustrative operating environment 100A includes a virtualizationenvironment 102 that provides, at least in part, a network 104 overwhich a plurality of nodes can communicate. In the illustrated example,the network 104 includes a source node 106 and a destination node 108that are in communication with each other over the network 104 via asource-destination link 110. The source-destination link 110 has beencompromised by a MitM attack executed by a MitM attacker 112. The MitMattacker 112 can intercept data traffic 114 exchanged between the sourcenode 106 and the destination node 108. The data traffic 114 may containdata that is sensitive in nature, such as personal data, financial data,security data (e.g., username and password), and the like. Althoughaspects of the concepts and technologies disclosed herein focus onmalicious cyber-attacks, the concepts and technologies disclosed hereinmay find applicability to other implementations such as networkcongestion and/or other network phenomenon.

Both the source node 106 and the destination node 108 can be any nodecapable of communication via the network 104. For example, the sourcenode 106 and the destination node 108 can be any device, system, server,network function, virtual network function (“VNF”), network router,network switch, other network node, combinations thereof, and the like.The source node 106 and the destination node 108 can operate in anyplane of the network 104, including the control plane,application/management plane, or data plane. For ease of description,the source node 106 and the destination node 108 will be described in aclient-server configuration in which the source node 106 is the serverand the destination node 108 is the client operating in the data plane.It should be understood that this example is merely exemplary and shouldnot be construed as limiting in any way.

Both the source node 106 and the destination node 108 can include one ormore virtual machines (“VMs”). The illustrated source node 106 is shownwith one VM (“VM₁”) 116A. The illustrated destination node 108 is shownwith one VM (“VM₂”) 116B. The source node 106 and the destination node108 each can include a MitMP module 118A, 118B, respectively. The MitMPmodules 118A, 118B each maintain a distributed ledger 120 (e.g.,maintained using blockchain or similar technology) that is configured tostore a packet delay value for each link, such as the source-destinationlink 110 in the illustrated example. The packet delay value may be anaverage of packet delays experienced over a link over a specified periodof time. Alternatively, the packet delay value can be a single packetdelay value.

The MitMP modules 118 can determine an average packet delay value for agiven link via traffic probe packets 122. The traffic probe packets 122can be generated using an existing delay detector or a proprietaryprotocol. The proprietary protocol can enable the MitMP modules 118 tosend the traffic probe packets 122 with different sizes and differentintervals at once (next to each other) every X minutes, and the trafficprobe packets 122 can require responses from their respectivedestinations. The delay of the traffic probe packets 122 can beaveraged. Each MitMP module 118 can record the round trip times viareading the time stamps or by calculating the “time sent” of aparticular traffic probe packet 122 and the “time received” of receivingthe response for that particular traffic probe packet 122. The MitMPmodules 118 can record historical delays for time of the day, week,month, and can compare the historical delays with the current delay todetermine any outliers. The MitMP modules 118 can communicate with eachother through the network 104 to check if there is a general delayincrease all over the network 104 triggered by external factors (e.g.,temporarily heavy demand for a streaming football game or other event),and/or internal factors such as several nodes and/or links that are downfor maintenance or due to equipment failure. The MitMP modules 118 canadjust the packet delay compared to historical records to account forthe other factors beyond a malicious attack.

The illustrated distributed ledger 120 stores an average packet delayfor the source-destination link 110 (shown as packet delay_(Src-Dest)124). The distributed ledger 120 can store the average packet delay foran n^(th) link in the network 104 (shown as packet delay_(n) 124N). Then^(th) link can involve the source node 106, the destination node 108,or both the source node 106 and the destination node 108, and one ormore additional nodes (not shown). The MitMP module 118 of each node inthe n^(th) link can maintain the distributed ledger 120. In this manner,each MitMP module 118 can map out the network 104 with the most recentpacket delay values for all links in the network 104.

After the MitMP module₁ 118A (and/or the MitMP module2 118B as the casemay be) detects that the data traffic 114 has higher packet delays thannormal (where normal delay can be established over time for each link inthe network 104), the MitMP module₁ 118A can command the VM₁ 116A to bedecommissioned. In particular, the resources upon which the VM₁ 116Aoperates can be freed up (i.e., no longer dedicated to the VM₁ 116A).Also, any VM software can be erased.

The MitMP module₁ 118A can communicate with a virtualizationorchestrator 126 prior to, during, and after commanding the VM₁ 116A tobe decommissioned. Each of the MitMP modules 118 can communicate withthe virtualization orchestrator 126 on a secure dedicated channel (i.e.,a different channel than the channel being used for communicationsbetween the VM₁ 116A and the virtualization orchestrator 126). Each timea MitMP module 118 transacts with the virtualization orchestrator 126,the transaction can be logged in the distributed ledger 120.

After the VM₁ 116A has been decommissioned, the virtualizationorchestrator 126 can create a new node with a new MitMP module while thesource node 106 continues to send/receive fake data traffic created bythe MitMP module₁ 118A to convince the MitM attacker 112 that the MitMattack is/was successful. Each MitMP module 118 can be created by thevirtualization orchestrator 126. The virtualization orchestrator 126 cankeep track of the status of each MitMP module 118 using a MitMPmanagement module 128 that handles all aspects and updates by all MitMPmodules 118. Each MitMP module 118 can have an authentication key (notshown) to securely communicate with the virtualization orchestrator 126.

The virtualization orchestrator 126 can create the VMs 116 and the MitMPmodules 118 for any number of nodes using virtualization resources 130of the virtualization environment 102. The virtualization resources 130can include compute, memory, and other virtualized resources as bestillustrated and described herein with regard to an example cloudcomputing platform 600 shown in FIG. 6 .

Turning now to FIG. 1B, an operating environment 100B is shown after theVM₁ 116A has been commanded, by the MitMP module₁ 118A, to bedecommissioned. In particular, the operating environment 100B againshows the virtualization environment 102 introduced in FIG. 1A, but withthe source node 106 now shown as a decommissioned source node 106′ witha decommissioned VM₁ 116A′ and the MitMP module₁ 118A. In addition, thesource-destination link 110 (marked “old” in FIG. 1B) remains incommunication with the MitM attacker 112. The MitMP module₁ 118A canthen generate fake traffic that resembles the data traffic 114. The faketraffic is shown as MitMP module-generated data traffic 134. In someembodiments, the MitMP module-generated data traffic 134 can begenerated, by the MitMP module₁ 118A, based upon one or morecharacteristics of the data traffic 114. For example, the MitMP module₁118A may generate replica data packets of the data packets contained inthe data traffic 114 with the same payload size and/or header datum (orthe entirety of the header) but with different raw data. The raw datacan be randomly or pseudo-randomly generated or can be sourced from adatabase (not shown) of expired or otherwise no longer relevant data.

The virtualization orchestrator 126 can utilize the virtualizationresources 130 to create an n^(th) source node 106N with an nth VM 116N(marked “new” in FIG. 1B). The virtualization orchestrator 126 also cancreate the nth MitMP module 118N via the MitMP management module 128.The virtualization orchestrator 126 also creates a newsource-destination link 110′ between the n^(th) source node 106N and thedestination node 108 over which the data traffic 114 can be exchanged.In the meantime, the MitMP module₁ 118A, operating in the decommissionedsource node 106′, can generate and send the MitMP module-generated datatraffic 134 to the MitM attacker 112. In this manner, the MitM attacker112 will see the MitMP module-generated data traffic 134 (i.e., fakedata traffic) instead of the data traffic 114 (i.e., real data traffic).Since the MitMP module-generated data traffic 134 is generated, by theMitMP module₁ 118A, based upon one or more characteristics of the datatraffic 114, the MitMP module-generated data traffic 134 will appearsimilar to the data traffic 114 from the perspective of the MitMattacker 112. Accordingly, the MitM attacker 112 can be misdirected intothinking the MitM attack is/was successful.

Turning now to FIG. 2 , a flow diagram illustrating aspects of a method200 for protecting against MitM attacks in virtualization environments,such as the virtualization environment 102, will be described, accordingto an illustrative embodiment. It should be understood that theoperations of the methods disclosed herein are not necessarily presentedin any particular order and that performance of some or all of theoperations in an alternative order(s) is possible and is contemplated.The operations have been presented in the demonstrated order for ease ofdescription and illustration. Operations may be added, omitted, and/orperformed simultaneously, without departing from the scope of theconcepts and technologies disclosed herein.

It also should be understood that the methods disclosed herein can beended at any time and need not be performed in its entirety. Some or alloperations of the methods, and/or substantially equivalent operations,can be performed by execution of computer-readable instructions includedon a computer storage media, as defined herein. The term“computer-readable instructions,” and variants thereof, as used herein,is used expansively to include routines, applications, applicationmodules, program modules, programs, components, data structures,algorithms, and the like. Computer-readable instructions can beimplemented on various system configurations including single-processoror multiprocessor systems or devices, minicomputers, mainframecomputers, personal computers, hand-held computing devices,microprocessor-based, programmable consumer electronics, combinationsthereof, and the like.

Thus, it should be appreciated that the logical operations describedherein are implemented (1) as a sequence of computer implemented acts orprogram modules running on a computing system and/or (2) asinterconnected machine logic circuits or circuit modules within thecomputing system. The implementation is a matter of choice dependent onthe performance and other requirements of the computing system.Accordingly, the logical operations described herein are referred tovariously as states, operations, structural devices, acts, or modules.These states, operations, structural devices, acts, and modules may beimplemented in software, in firmware, in special purpose digital logic,and any combination thereof. As used herein, the phrase “cause aprocessor to perform operations” and variants thereof is used to referto causing one or more processors, or components thereof, and/or one ormore other computing systems, network components, and/or devicesdisclosed herein, and/or virtualizations thereof, to perform operations.

For purposes of illustrating and describing some of the concepts of thepresent disclosure, the method 200 will be described as being performed,at least in part, by the MitMP module₁ 118A of the source node106/decommissioned source node 106′ (hereinafter the MitMP module 118).It should be understood that additional and/or alternative devices canprovide the functionality described herein via execution of one or moremodules, applications, and/or other software. Thus, the illustratedembodiments are illustrative, and should not be viewed as being limitingin any way.

The method 200 will be described with additional reference to FIG. 1 .The method 200 begins and proceeds to operation 202. At operation 202,the MitMP module 118 monitors the data traffic 114 exchanged between thesource node 106 and the destination node 108 over the source-destinationlink 110 via the network 104. From operation 202, the method 200proceeds to operation 204. At operation 204, the MitMP module 118utilizes the traffic probe packet(s) 122 to determine packet delay. TheMitMP module 118 can generate and send the traffic probe packet(s) 122towards the destination node 108. The MitMP module 118 can record a“sent” time for when the traffic probe packet 122 was sent. The MitMPmodule 118 also can record a “receipt” time for when the traffic probepacket 122 was received by the destination node 108. The “sent” and“receipt” times can be used to determine a packet delay. Over time, theMitMP module 118 can average the packet delays of multiple traffic probepackets 122 to determine an average packet delay. It should beunderstood, however, that a single traffic probe packet delay value maybe used in some circumstances.

From operation 204, the method 200 proceeds to operation 206. Atoperation 206, the MitMP module 118 stores the packet delay value(s)using the distributed ledger 120. From operation 206, the method 200proceeds to operation 208. At operation 208, the MitMP module 118 usesthe distributed ledger 120 to map out the network 104 with the mostrecent packet delay values, which can include the most recent averagepacket delay value for each link (e.g., the source-destination link 110)in the network 104, or strictly the most recent packet delay value.

From operation 208, the method 200 proceeds to operation 210. Atoperation 210, the MitMP module 118 determines if the packet delay valuefor the specified link (i.e., the source-destination link 110 in thisexample) is greater than a normal delay value. The normal delay valuecan be determined over time by the traffic probe packets 122. A packetdelay value that is less than the normal delay value causes the method200 to revert back to operation 202, where the MitMP module 118continues to monitor the data traffic 114. If, however, the packet delayvalue is determined, at operation 210, to be greater than the normaldelay value, the method 200 proceeds to operation 212. At operation 212,the MitMP module 118 commands its local VM (i.e., the VM₁ 116A in thisexample) to be decommissioned. In FIG. 1A, the VM₁ 116A is shownoperating on the source node 106 prior to receiving the command from theMitMP module 118 to be decommissioned. In FIG. 1B, the decommissionedVM₁ 116A′ is shown in association with the decommissioned source node106′ after receiving, from the MitMP module 118, the command to bedecommissioned.

From operation 212, the method 200 proceeds to operation 214. Atoperation 214, the MitMP module 118 instructs the virtualizationorchestrator 126 to create a new node (best shown in FIG. 1B as sourcenodeN 106N) with a new VM (best shown in FIG. 1B as VMN 116N) and a newMitMP module (best shown in FIG. 1B as MitMP moduleN 118N). In response,the virtualization orchestrator 126 can create the source nodeN 106N,the VMN 116N, and the MitMP moduleN 118N using the virtualizationresources 130.

From operation 214, the method 200 proceeds to operation 216. Atoperation 216, the MitMP module 118 of the decommissioned source node106′ creates MitMP module-generated data traffic 134. In someembodiments, the MitMP module-generated data traffic 134 can begenerated, by the MitMP module₁ 118A, based upon one or morecharacteristics of the data traffic 114. For example, the MitMP module₁118A may generate replica data packets of the data packets contained inthe data traffic 114 with the same payload size and header informationbut with different raw data. The raw data can be randomly orpseudo-randomly generated or can be sourced from a database (not shown)of expired or otherwise no longer relevant data.

From operation 216, the method 200 proceeds to operation 218. Atoperation 218, the MitMP module₁ 118A sends the MitMP module-generateddata traffic 134 towards the MitM attacker 112 on the (old)source-destination link 110 (shown in FIG. 1B). In this manner, the MitMattacker 112 will see the MitMP module-generated data traffic 134 (i.e.,fake traffic) instead of the data traffic 114 (i.e., real traffic).Since the MitMP module-generated data traffic 134 is generated, by theMitMP module₁ 118A, based upon one or more characteristics of the datatraffic 114, the MitMP module-generated data traffic 134 will appearsimilar to the data traffic 114 from the perspective of the MitMattacker 112. Accordingly, the MitM attacker 112 can be misdirected intothinking the MitM attack is/was successful.

From operation 218, the method 200 proceeds to operation 220. The method200 can end at operation 220.

FIG. 3 is a block diagram illustrating a computer system 300 configuredto perform various operations disclosed herein. Aspects of the conceptsand technologies disclosed herein can be implemented, at least in part,by the computer system 300. The computer system 300 includes aprocessing unit 302, a memory 304, one or more user interface devices306, one or more input/output (“I/O”) devices 308, and one or morenetwork devices 310, each of which is operatively connected to a systembus 312. The system bus 312 enables bi-directional communication betweenthe processing unit 302, the memory 304, the user interface devices 306,the I/O devices 308, and the network devices 310.

The processing unit 302 might be a standard central processor thatperforms arithmetic and logical operations, a more specific purposeprogrammable logic controller (“PLC”), a programmable gate array, orother type of processor known to those skilled in the art and suitablefor controlling the operation of the computer system 300. Processingunits are generally known, and therefore are not described in furtherdetail herein.

The memory 304 communicates with the processing unit 302 via the systembus 312. In some embodiments, the memory 304 is operatively connected toa memory controller (not shown) that enables communication with theprocessing unit 302 via the system bus 312. The illustrated memory 304includes an operating system 314 and one or more applications 316. Theoperating system 314 can include, but is not limited to, members of theWINDOWS, WINDOWS CE, WINDOWS MOBILE, and/or WINDOWS PHONE families ofoperating systems from MICROSOFT CORPORATION, the LINUX family ofoperating systems, the SYMBIAN family of operating systems from SYMBIANLIMITED, the BREW family of operating systems from QUALCOMM CORPORATION,the MAC OS and/or iOS families of operating systems from APPLE INC., theFREEB SD family of operating systems, the SOLARIS family of operatingsystems from ORACLE CORPORATION, other operating systems such asproprietary operating systems, and the like.

The user interface devices 306 may include one or more devices withwhich a user accesses the computer system 300. The user interfacedevices 306 may include, but are not limited to, computers, servers,personal digital assistants, telephones (e.g., cellular, IP, orlandline), or any suitable computing devices. The I/O devices 308 enablea user to interface with the program modules. In one embodiment, the I/Odevices 308 are operatively connected to an I/O controller (not shown)that enables communication with the processing unit 302 via the systembus 312. The I/O devices 308 may include one or more input devices, suchas, but not limited to, a keyboard, a mouse, a touchscreen, or anelectronic stylus. Further, the I/O devices 308 may include one or moreoutput devices, such as, but not limited to, a display screen or aprinter. An I/O device 308 embodied as a display screen can be used topresent information.

The network devices 310 enable the computer system 300 to communicatewith a network 318, which can be or can include the network 104, theInternet, or some combination thereof. Examples of the network devices310 include, but are not limited to, a modem, a radio frequency (“RF”)or infrared (“IR”) transceiver, a telephonic interface, a bridge, arouter, or a network card. The network 318 may include a wirelessnetwork such as, but not limited to, a WLAN such as a WI-FI network, aWWAN, a wireless PAN (“WPAN”) such as BLUETOOTH, or a wireless MAN(“WMAN”). Alternatively, the network 318 may be a wired network such as,but not limited to, a WAN such as the Internet, a LAN such as theEthernet, a wired PAN, or a wired MAN.

Turning now to FIG. 4 , an illustrative mobile device 400 and componentsthereof will be described. Aspects of the concepts and technologiesdisclosed herein can be implemented, at least in part, by the mobiledevice 400. While connections are not shown between the variouscomponents illustrated in FIG. 4 , it should be understood that some,none, or all of the components illustrated in FIG. 4 can be configuredto interact with one another to carry out various device functions. Insome embodiments, the components are arranged so as to communicate viaone or more busses (not shown). Thus, it should be understood that FIG.4 and the following description are intended to provide a generalunderstanding of a suitable environment in which various aspects ofembodiments can be implemented, and should not be construed as beinglimiting in any way.

As illustrated in FIG. 4 , the mobile device 400 can include a display402 for displaying data. According to various embodiments, the display402 can be configured to display various GUI elements, text, images,video, virtual keypads and/or keyboards, messaging data, notificationmessages, metadata, Internet content, device status, time, date,calendar data, device preferences, map and location data, combinationsthereof, and/or the like. The mobile device 400 also can include aprocessor 404 and a memory or other data storage device (“memory”) 406.The processor 404 can be configured to process data and/or can executecomputer-executable instructions stored in the memory 406. Thecomputer-executable instructions executed by the processor 404 caninclude, for example, an operating system 408, one or more applications410, other computer-executable instructions stored in the memory 406, orthe like. In some embodiments, the applications 410 also can include aUI application (not illustrated in FIG. 4 ).

The UI application can interface with the operating system 408 tofacilitate user interaction with functionality and/or data stored at themobile device 400 and/or stored elsewhere. In some embodiments, theoperating system 408 can include a member of the SYMBIAN OS family ofoperating systems from SYMBIAN LIMITED, a member of the WINDOWS MOBILEOS and/or WINDOWS PHONE OS families of operating systems from MICROSOFTCORPORATION, a member of the PALM WEBOS family of operating systems fromHEWLETT PACKARD CORPORATION, a member of the BLACKBERRY OS family ofoperating systems from RESEARCH IN MOTION LIMITED, a member of the MSfamily of operating systems from APPLE INC., a member of the ANDROID OSfamily of operating systems from GOOGLE INC., and/or other operatingsystems. These operating systems are merely illustrative of somecontemplated operating systems that may be used in accordance withvarious embodiments of the concepts and technologies described hereinand therefore should not be construed as being limiting in any way.

The UI application can be executed by the processor 404 to aid a user inentering/deleting data, entering and setting user IDs and passwords fordevice access, configuring settings, manipulating content and/orsettings, multimode interaction, interacting with other applications410, and otherwise facilitating user interaction with the operatingsystem 408, the applications 410, and/or other types or instances ofdata 412 that can be stored at the mobile device 400.

The applications 410, the data 412, and/or portions thereof can bestored in the memory 406 and/or in a firmware 414, and can be executedby the processor 404. The firmware 414 also can store code for executionduring device power up and power down operations. It can be appreciatedthat the firmware 414 can be stored in a volatile or non-volatile datastorage device including, but not limited to, the memory 406 and/or aportion thereof.

The mobile device 400 also can include an input/output (“I/O”) interface416. The I/O interface 416 can be configured to support the input/outputof data such as location information, presence status information, userIDs, passwords, and application initiation (start-up) requests. In someembodiments, the I/0 interface 416 can include a hardwire connectionsuch as a universal serial bus (“USB”) port, a mini-USB port, amicro-USB port, an audio jack, a PS2 port, an IEEE 1394 (“FIREWIRE”)port, a serial port, a parallel port, an Ethernet (RJ45) port, an RJ11port, a proprietary port, combinations thereof, or the like. In someembodiments, the mobile device 400 can be configured to synchronize withanother device to transfer content to and/or from the mobile device 400.In some embodiments, the mobile device 400 can be configured to receiveupdates to one or more of the applications 410 via the I/O interface416, though this is not necessarily the case. In some embodiments, theI/0 interface 416 accepts I/O devices such as keyboards, keypads, mice,interface tethers, printers, plotters, external storage,touch/multi-touch screens, touch pads, trackballs, joysticks,microphones, remote control devices, displays, projectors, medicalequipment (e.g., stethoscopes, heart monitors, and other health metricmonitors), modems, routers, external power sources, docking stations,combinations thereof, and the like. It should be appreciated that theI/O interface 416 may be used for communications between the mobiledevice 400 and a network device or local device.

The mobile device 400 also can include a communications component 418.The communications component 418 can be configured to interface with theprocessor 404 to facilitate wired and/or wireless communications withone or more networks, such as the network 104, the Internet, or somecombination thereof. In some embodiments, the communications component418 includes a multimode communications subsystem for facilitatingcommunications via the cellular network and one or more other networks.

The communications component 418, in some embodiments, includes one ormore transceivers. The one or more transceivers, if included, can beconfigured to communicate over the same and/or different wirelesstechnology standards with respect to one another. For example, in someembodiments, one or more of the transceivers of the communicationscomponent 418 may be configured to communicate using Global System forMobile communications (“GSM”), Code-Division Multiple Access (“CDMA”)CDMAONE, CDMA2000, Long-Term Evolution (“LTE”) LTE, and various other2G, 2.5G, 3G, 4G, 4.5G, 5G, and greater generation technology standards.Moreover, the communications component 418 may facilitate communicationsover various channel access methods (which may or may not be used by theaforementioned standards) including, but not limited to, Time-DivisionMultiple Access (“TDMA”), Frequency-Division Multiple Access (“FDMA”),Wideband CDMA (“W-CDMA”), Orthogonal Frequency-Division Multiple Access(“OFDMA”), Space-Division Multiple Access (“SDMA”), and the like.

In addition, the communications component 418 may facilitate datacommunications using General Packet Radio Service (“GPRS”), EnhancedData services for Global Evolution (“EDGE”), the High-Speed PacketAccess (“HSPA”) protocol family including High-Speed Downlink PacketAccess (“HSDPA”), Enhanced Uplink (“EUL”) (also referred to asHigh-Speed Uplink Packet Access (“HSUPA”), HSPA+, and various othercurrent and future wireless data access standards. In the illustratedembodiment, the communications component 418 can include a firsttransceiver (“TxRx”) 420A that can operate in a first communicationsmode (e.g., GSM). The communications component 418 also can include anN^(th) transceiver (“TxRx”) 420N that can operate in a secondcommunications mode relative to the first transceiver 420A (e.g., UMTS).While two transceivers 420A-420N (hereinafter collectively and/orgenerically referred to as “transceivers 420”) are shown in FIG. 4 , itshould be appreciated that less than two, two, and/or more than twotransceivers 420 can be included in the communications component 418.

The communications component 418 also can include an alternativetransceiver (“Alt TxRx”) 422 for supporting other types and/or standardsof communications. According to various contemplated embodiments, thealternative transceiver 422 can communicate using various communicationstechnologies such as, for example, WI-FI, WIMAX, BLUETOOTH, infrared,infrared data association (“IRDA”), near field communications (“NFC”),other RF technologies, combinations thereof, and the like. In someembodiments, the communications component 418 also can facilitatereception from terrestrial radio networks, digital satellite radionetworks, internet-based radio service networks, combinations thereof,and the like. The communications component 418 can process data from anetwork such as the Internet, an intranet, a broadband network, a WI-FIhotspot, an Internet service provider (“ISP”), a digital subscriber line(“DSL”) provider, a broadband provider, combinations thereof, or thelike.

The mobile device 400 also can include one or more sensors 424. Thesensors 424 can include temperature sensors, light sensors, air qualitysensors, movement sensors, accelerometers, magnetometers, gyroscopes,infrared sensors, orientation sensors, noise sensors, microphonesproximity sensors, combinations thereof, and/or the like. Additionally,audio capabilities for the mobile device 400 may be provided by an audioI/O component 426. The audio I/O component 426 of the mobile device 400can include one or more speakers for the output of audio signals, one ormore microphones for the collection and/or input of audio signals,and/or other audio input and/or output devices.

The illustrated mobile device 400 also can include a subscriber identitymodule (“SIM”) system 428. The SIM system 428 can include a universalSIM (“USIM”), a universal integrated circuit card (“UICC”) and/or otheridentity devices. The SIM system 428 can include and/or can be connectedto or inserted into an interface such as a slot interface 430. In someembodiments, the slot interface 430 can be configured to acceptinsertion of other identity cards or modules for accessing various typesof networks. Additionally, or alternatively, the slot interface 430 canbe configured to accept multiple subscriber identity cards. Becauseother devices and/or modules for identifying users and/or the mobiledevice 400 are contemplated, it should be understood that theseembodiments are illustrative, and should not be construed as beinglimiting in any way.

The mobile device 400 also can include an image capture and processingsystem 432 (“image system”). The image system 432 can be configured tocapture or otherwise obtain photos, videos, and/or other visualinformation. As such, the image system 432 can include cameras, lenses,charge-coupled devices (“CCDs”), combinations thereof, or the like. Themobile device 400 may also include a video system 434. The video system434 can be configured to capture, process, record, modify, and/or storevideo content. Photos and videos obtained using the image system 432 andthe video system 434, respectively, may be added as message content toan MMS message, email message, and sent to another device. The videoand/or photo content also can be shared with other devices via varioustypes of data transfers via wired and/or wireless communication devicesas described herein.

The mobile device 400 also can include one or more location components436. The location components 436 can be configured to send and/orreceive signals to determine a geographic location of the mobile device400. According to various embodiments, the location components 436 cansend and/or receive signals from global positioning system (“GPS”)devices, assisted-GPS (“A-GPS”) devices, WI-FUWIMAX and/or cellularnetwork triangulation data, combinations thereof, and the like. Thelocation component 436 also can be configured to communicate with thecommunications component 418 to retrieve triangulation data fordetermining a location of the mobile device 400. In some embodiments,the location component 436 can interface with cellular network nodes,telephone lines, satellites, location transmitters and/or beacons,wireless network transmitters and receivers, combinations thereof, andthe like. In some embodiments, the location component 436 can includeand/or can communicate with one or more of the sensors 424 such as acompass, an accelerometer, and/or a gyroscope to determine theorientation of the mobile device 400. Using the location component 436,the mobile device 400 can generate and/or receive data to identify itsgeographic location, or to transmit data used by other devices todetermine the location of the mobile device 400. The location component436 may include multiple components for determining the location and/ororientation of the mobile device 400.

The illustrated mobile device 400 also can include a power source 438.The power source 438 can include one or more batteries, power supplies,power cells, and/or other power subsystems including alternating current(“AC”) and/or direct current (“DC”) power devices. The power source 438also can interface with an external power system or charging equipmentvia a power I/0 component 440. Because the mobile device 400 can includeadditional and/or alternative components, the above embodiment should beunderstood as being illustrative of one possible operating environmentfor various embodiments of the concepts and technologies describedherein. The described embodiment of the mobile device 400 isillustrative, and should not be construed as being limiting in any way.

As used herein, communication media includes computer-executableinstructions, data structures, program modules, or other data in amodulated data signal such as a carrier wave or other transportmechanism and includes any delivery media. The term “modulated datasignal” means a signal that has one or more of its characteristicschanged or set in a manner as to encode information in the signal. Byway of example, and not limitation, communication media includes wiredmedia such as a wired network or direct-wired connection, and wirelessmedia such as acoustic, RF, infrared, and other wireless media.Combinations of any of the above should also be included within thescope of computer-readable media.

By way of example, and not limitation, computer storage media mayinclude volatile and non-volatile, removable and non-removable mediaimplemented in any method or technology for storage of information suchas computer-executable instructions, data structures, program modules,or other data. For example, computer media includes, but is not limitedto, RAM, ROM, EPROM, EEPROM, flash memory or other solid state memorytechnology, CD-ROM, digital versatile disks (“DVD”), HD-DVD, BLU-RAY, orother optical storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic storage devices, or any other medium which canbe used to store the desired information and which can be accessed bythe mobile device 400 or other devices or computers described herein,such as the computer system 300 described above with reference to FIG. 3. For purposes of the claims, the phrase “computer-readable storagemedium” and variations thereof, does not include waves, signals, and/orother transitory and/or intangible communication media, per se.

Encoding the software modules presented herein also may transform thephysical structure of the computer-readable media presented herein. Thespecific transformation of physical structure may depend on variousfactors, in different implementations of this description. Examples ofsuch factors may include, but are not limited to, the technology used toimplement the computer-readable media, whether the computer-readablemedia is characterized as primary or secondary storage, and the like.For example, if the computer-readable media is implemented assemiconductor-based memory, the software disclosed herein may be encodedon the computer-readable media by transforming the physical state of thesemiconductor memory. For example, the software may transform the stateof transistors, capacitors, or other discrete circuit elementsconstituting the semiconductor memory. The software also may transformthe physical state of such components in order to store data thereupon.

As another example, the computer-readable media disclosed herein may beimplemented using magnetic or optical technology. In suchimplementations, the software presented herein may transform thephysical state of magnetic or optical media, when the software isencoded therein. These transformations may include altering the magneticcharacteristics of particular locations within given magnetic media.These transformations also may include altering the physical features orcharacteristics of particular locations within given optical media, tochange the optical characteristics of those locations. Othertransformations of physical media are possible without departing fromthe scope and spirit of the present description, with the foregoingexamples provided only to facilitate this discussion.

In light of the above, it should be appreciated that many types ofphysical transformations may take place in the mobile device 400 inorder to store and execute the software components presented herein. Itis also contemplated that the mobile device 400 may not include all ofthe components shown in FIG. 4 , may include other components that arenot explicitly shown in FIG. 4 , or may utilize an architecturecompletely different than that shown in FIG. 4 .

Turning now to FIG. 5 , details of a network 500 are illustrated,according to an illustrative embodiment. The network 104 (FIG. 1 ) canbe or can include at least a portion of the network 500. The network 500includes a cellular network 502, a packet data network 504, and acircuit switched network 506 (e.g., a public switched telephonenetwork).

The cellular network 502 includes various components such as, but notlimited to, base transceiver stations (“BTSs”), Node-Bs or e-Node-Bs,base station controllers (“B SCs”), radio network controllers (“RNCs”),mobile switching centers (“MSCs”), mobility management entities(“MMEs”), short message service centers (“SMSCs”), multimedia messagingservice centers (“MMSCs”), home location registers (“HLRs”), homesubscriber servers (“HS Ss”), visitor location registers (“VLRs”),charging platforms, billing platforms, voicemail platforms, GPRS corenetwork components, location service nodes, and the like. The cellularnetwork 502 also includes radios and nodes for receiving andtransmitting voice, data, and combinations thereof to and from radiotransceivers, networks, the packet data network 504, and the circuitswitched network 506.

A mobile communications device 508, such as, for example, a cellulartelephone, a user equipment, a mobile terminal, a PDA, a laptopcomputer, a handheld computer, and combinations thereof, can beoperatively connected to the cellular network 502. The cellular network502 can be configured as a GSM) network and can provide datacommunications via GPRS and/or EDGE. Additionally, or alternatively, thecellular network 502 can be configured as a 3G Universal MobileTelecommunications System (“UMTS”) network and can provide datacommunications via the HSPA protocol family, for example, HSDPA, EUL,and HSPA+. The cellular network 502 also is compatible with 4G mobilecommunications standards such as LTE, or the like, as well as evolvedand future mobile standards.

The packet data network 504 includes various systems/devices, forexample, the source node 106, the destination node 108, the new sourcenodeN 106N, the virtualization orchestrator 126, other servers, othersystems, computers, databases, and other devices in communication withone another, as is generally known. In some embodiments, the packet datanetwork 504 is or includes one or more WI-FI networks, each of which caninclude one or more WI-FI access points, routers, switches, and otherWI-FI network components. The packet data network 504 devices areaccessible via one or more network links. The servers often storevarious files that are provided to a requesting device such as, forexample, a computer, a terminal, a smartphone, or the like. Typically,the requesting device includes software for executing a web page in aformat readable by the browser or other software. Other files and/ordata may be accessible via “links” in the retrieved files, as isgenerally known. In some embodiments, the packet data network 504includes or is in communication with the Internet. The circuit switchednetwork 506 includes various hardware and software for providing circuitswitched communications. The circuit switched network 506 may include,or may be, what is often referred to as a plain old telephone system(“POTS”). The functionality of a circuit switched network 506 or othercircuit-switched network are generally known and will not be describedherein in detail.

The illustrated cellular network 502 is shown in communication with thepacket data network 504 and a circuit switched network 506, though itshould be appreciated that this is not necessarily the case. One or moreInternet-capable devices 510 a PC, a laptop, a portable device, oranother suitable device, can communicate with one or more cellularnetworks 502, and devices connected thereto, through the packet datanetwork 504. It also should be appreciated that the Internet-capabledevice 510 can communicate with the packet data network 504 through thecircuit switched network 506, the cellular network 502, and/or via othernetworks (not illustrated).

As illustrated, a communications device 512, for example, a telephone,facsimile machine, modem, computer, or the like, can be in communicationwith the circuit switched network 506, and therethrough to the packetdata network 504 and/or the cellular network 502. It should beappreciated that the communications device 512 can be anInternet-capable device, and can be substantially similar to theInternet-capable device 510.

Turning now to FIG. 6 , a cloud computing platform 600 will bedescribed, according to an exemplary embodiment. The architecture of thecloud computing platform 600 can be utilized to implement variouselements disclosed herein, including, for example, the virtualizationenvironment 102. The cloud computing platform 600 is a sharedinfrastructure that can support multiple services and networkapplications. The illustrated cloud computing platform 600 includes ahardware resource layer 602, a virtualization/control layer 604, and avirtual resource layer 606 that work together to perform operations aswill be described in detail herein.

The hardware resource layer 602 provides hardware resources, which, inthe illustrated embodiment, include one or more compute resources 608,one or more memory resources 610, and one or more other resources 612.The compute resource(s) 608 can include one or more hardware componentsthat perform computations to process data, and/or to executecomputer-executable instructions of one or more application programs,operating systems, and/or other software. The compute resources 608 caninclude one or more central processing units (“CPUs”) configured withone or more processing cores. The compute resources 608 can include oneor more graphics processing unit (“GPU”) configured to accelerateoperations performed by one or more CPUs, and/or to perform computationsto process data, and/or to execute computer-executable instructions ofone or more application programs, operating systems, and/or othersoftware that may or may not include instructions particular to graphicscomputations. In some embodiments, the compute resources 608 can includeone or more discrete GPUs. In some other embodiments, the computeresources 608 can include CPU and GPU components that are configured inaccordance with a co-processing CPU/GPU computing model, wherein thesequential part of an application executes on the CPU and thecomputationally-intensive part is accelerated by the GPU. The computeresources 608 can include one or more system-on-chip (“SoC”) componentsalong with one or more other components, including, for example, one ormore of the memory resources 610, and/or one or more of the otherresources 612. In some embodiments, the compute resources 608 can be orcan include one or more SNAPDRAGON SoCs, available from QUALCOMM of SanDiego, California; one or more TEGRA SoCs, available from NVIDIA ofSanta Clara, California; one or more HUMMINGBIRD SoCs, available fromSAMSUNG of Seoul, South Korea; one or more Open Multimedia ApplicationPlatform (“OMAP”) SoCs, available from TEXAS INSTRUMENTS of Dallas,Texas; one or more customized versions of any of the above SoCs; and/orone or more proprietary SoCs. The compute resources 608 can be or caninclude one or more hardware components architected in accordance withan advanced reduced instruction set computing (“RISC”) (“ARM”)architecture, available for license from ARM HOLDINGS of Cambridge,United Kingdom. Alternatively, the compute resources 608 can be or caninclude one or more hardware components architected in accordance withan x86 architecture, such an architecture available from INTELCORPORATION of Mountain View, Calif., and others. Those skilled in theart will appreciate the implementation of the compute resources 608 canutilize various computation architectures, and as such, the computeresources 608 should not be construed as being limited to any particularcomputation architecture or combination of computation architectures,including those explicitly disclosed herein.

The memory resource(s) 610 can include one or more hardware componentsthat perform storage operations, including temporary or permanentstorage operations. In some embodiments, the memory resource(s) 610include volatile and/or non-volatile memory implemented in any method ortechnology for storage of information such as computer-readableinstructions, data structures, program modules, or other data disclosedherein. Computer storage media includes, but is not limited to, randomaccess memory (“RAM”), read-only memory (“ROM”), Erasable ProgrammableROM (“EPROM”), Electrically Erasable Programmable ROM (“EEPROM”), flashmemory or other solid state memory technology, CD-ROM, digital versatiledisks (“DVD”), or other optical storage, magnetic cassettes, magnetictape, magnetic disk storage or other magnetic storage devices, or anyother medium which can be used to store data and which can be accessedby the compute resources 608.

The other resource(s) 612 can include any other hardware resources thatcan be utilized by the compute resources(s) 608 and/or the memoryresource(s) 610 to perform operations described herein. The otherresource(s) 612 can include one or more input and/or output processors(e.g., network interface controller or wireless radio), one or moremodems, one or more codec chipset, one or more pipeline processors, oneor more fast Fourier transform (“FFT”) processors, one or more digitalsignal processors (“DSPs”), one or more speech synthesizers, and/or thelike.

The hardware resources operating within the hardware resource layer 602can be virtualized by one or more virtual machine monitors (“VMMs”)614A-614K (also known as “hypervi sors;” hereinafter “VMMs 614”)operating within the virtualization/control layer 604 to manage one ormore virtual resources that reside in the virtual resource layer 606.The VMMs 614 can be or can include software, firmware, and/or hardwarethat alone or in combination with other software, firmware, and/orhardware, manages one or more virtual resources operating within thevirtual resource layer 606.

The virtual resources operating within the virtual resource layer 606can include abstractions of at least a portion of the compute resources608, the memory resources 610, the other resources 612, or anycombination thereof. These abstractions are referred to herein as VMs.In the illustrated embodiment, the virtual resource layer 606 includesVMs 616A-616N (hereinafter “VMs 616;” e.g., the VM₁ 116A, the VM2 116B,and the VMN 116N). Each of the VMs 616 can execute one or moreapplications to perform the operations described herein.

Based on the foregoing, it should be appreciated that concepts andtechnologies for protection against MitM attacks in virtualizationenvironments have been disclosed herein. Although the subject matterpresented herein has been described in language specific to computerstructural features, methodological and transformative acts, specificcomputing machinery, and computer-readable media, it is to be understoodthat the invention defined in the appended claims is not necessarilylimited to the specific features, acts, or media described herein.Rather, the specific features, acts and mediums are disclosed as exampleforms of implementing the claims.

The subject matter described above is provided by way of illustrationonly and should not be construed as limiting. Various modifications andchanges may be made to the subject matter described herein withoutfollowing the example embodiments and applications illustrated anddescribed, and without departing from the true spirit and scope of thesubject disclosure.

1. A method comprising: monitoring, by a system comprising a processorexecuting a man-in-the-middle protection module, data traffic between asource node and a destination node via a network; determining, by thesystem, a packet delay value associated with the data traffic;determining, by the system, based upon the packet delay value that aman-in-the-middle attacker has compromised the data traffic;decommissioning, by the system, a virtual machine operating on thesource node; instructing, by the system, a virtualization orchestratorto create a new virtual machine and a new source node, wherein the datatraffic is rerouted to be exchanged between the new source node and thedestination node via the network; creating, by the system, fake datatraffic comprising replica data packets of data packets contained in thedata traffic; and sending, by the system, the fake data traffic towardsthe man-in-the-middle attacker via the network.
 2. The method of claim1, further comprising causing, by the system, the packet delay value tobe stored in a distributed ledger.
 3. The method of claim 2, wherein thepacket delay value comprises an average packet delay value.
 4. Themethod of claim 2, further comprising mapping, by the system, thenetwork with a most recent packet delay value for each link in thenetwork.
 5. The method of claim 1, wherein creating, by the system, thefake data traffic comprises creating, by the system, the fake datatraffic based upon a characteristic of the data traffic.
 6. The methodof claim 5, wherein the characteristic of the data traffic comprises asame payload size or a same header datum.
 7. The method of claim 6,wherein the fake data traffic comprises raw data having the same payloadsize; and wherein the raw data is randomly generated, pseudo-randomlygenerated, expired, or otherwise no longer relevant to the data traffic.8. A computer-readable storage medium having computer-executableinstructions of a man-in-the-middle protection module stored thereonthat, when executed by a processor, cause the processor to performoperations comprising: monitoring data traffic between a source node anda destination node via a network; determining a packet delay valueassociated with the data traffic; determining, based upon the packetdelay value that a man-in-the-middle attacker has compromised the datatraffic; decommissioning a virtual machine operating on the source node;instructing a virtualization orchestrator to create a new virtualmachine and a new source node, wherein the data traffic is rerouted tobe exchanged between the new source node and the destination node viathe network; creating fake data traffic comprising replica data packetsof data packets contained in the data traffic; and sending the fake datatraffic towards the man-in-the-middle attacker via the network.
 9. Thecomputer-readable storage medium of claim 8, wherein the operationsfurther comprise causing the packet delay value to be stored in adistributed ledger.
 10. The computer-readable storage medium of claim 9,wherein the packet delay value comprises an average packet delay value.11. The computer-readable storage medium of claim 9, wherein theoperations further comprise mapping the network with a most recentpacket delay value for each link in the network.
 12. Thecomputer-readable storage medium of claim 8, wherein creating the fakedata traffic comprises creating the fake data traffic based upon acharacteristic of the data traffic.
 13. The computer-readable storagemedium of claim 12, wherein the characteristic of the data trafficcomprises a same payload size or a same header datum.
 14. Thecomputer-readable storage medium of claim 13, wherein the fake datatraffic comprises raw data having the same payload size; and wherein theraw data is randomly generated, pseudo-randomly generated, expired, orotherwise no longer relevant to the data traffic.
 15. A systemcomprising: a processor; and a memory comprising instructions that, whenexecuted by the processor, cause the processor to perform operationscomprising monitoring data traffic between a source node and adestination node via a network, determining a packet delay valueassociated with the data traffic, determining, based upon the packetdelay value that a man-in-the-middle attacker has compromised the datatraffic, decommissioning a virtual machine operating on the source node,instructing a virtualization orchestrator to create a new virtualmachine and a new source node, wherein the data traffic is rerouted tobe exchanged between the new source node and the destination node viathe network, creating fake data traffic comprising replica data packetsof data packets contained in the data traffic, and sending the fake datatraffic towards the man-in-the-middle attacker via the network.
 16. Thesystem of claim 15, wherein the operations further comprise causing thepacket delay value to be stored in a distributed ledger.
 17. The systemof claim 16, wherein the packet delay value comprises an average packetdelay value.
 18. The system of claim 16, wherein the operations furthercomprise mapping the network with a most recent packet delay value foreach link in the network.
 19. The system of claim 15, wherein creatingthe fake data traffic comprises creating the fake data traffic basedupon a characteristic of the data traffic.
 20. The system of claim 19,wherein the characteristic of the data traffic comprises a same payloadsize; wherein the fake data traffic comprises raw data having the samepayload size; and wherein the raw data is randomly generated,pseudo-randomly generated, expired, or otherwise no longer relevant tothe data traffic.